Method for providing location certificates

ABSTRACT

Methods and apparatus for providing location certificates to certify the position or location of an object are disclosed. The position of the object is computed using radio signals and the secure transmission of the computed position is achieved using public key encryption techniques.

FIELD OF THE INVENTION

The invention relates to methods and apparatus for providing reliable location certificates which are used to prove the geographic location of a particular object or event. More particularly, the invention relates to establishing to a requestor that an object is being used in its restricted area of use, that an object being tracked is in a particular geographical location, or that an event is confined to a particular area.

BACKGROUND AND SUMMARY OF THE INVENTION

It is frequently desirable or imperative to reliably know the precise location of an object, and to be able to determine that location on a reoccurring basis. The object may be highly mobile or relegated to use in a confined area or confined areas.

Objects being transported by vehicle are highly mobile. With respect to such objects which are dangerous or controlled, as for example toxic waste and nuclear materials, it is desirable to be able to reliably monitor their location during transport between locations. Such monitoring may be continuous or may be from point-to-point.

Digital signatures represent objects which may be intended to be used only in highly localized areas. Digital signatures involve the use of cryptographic keys to sign messages. For legal or security reasons it is at times important to prove or establish that these digital signatures are being generated within a particular jurisdiction, a specific complex, building or room. For example, a digital signature of a bank employee that is used in various bank transactions would advantageously be confined to the location of a guarded bank facility. An employee's computer sign-on token may be limited to use at a specified location such as home or the office. For audit and billing purposes the location of requestors for access to sensitive material or databases is needed.

There are other environments in which it is important to reliably know the location of an object. A supplier of electronic broadcasts may need to screen certain locales to black-out reception of certain sports broadcasts, concerts, etc., or other signals such as electronic gambling events. In other instances, satellite decoder boxes limited to use in licensed areas are needed.

The present invention uses unique location certificates to track goods and wares during shipment, establish the location of participants in a network, determine the location at which a digital signature was performed, ascertain the validity of objects which are expected or mandated to be present within certain geographic bounds and control the use of security or sensitive devices by limiting their operation to certain locations.

Determining the location of an object or event involves the employment of a position determination unit. In accordance with an exemplary embodiment of the present invention, the position determination unit operates on the reception of Loran or Global Positioning System (GPS) signals to establish its location. The unit may continuously determine its position or compute its position on request. A secure authorization unit functions to authenticate the location information reported to a requestor. Specifically, the secure authorization unit, through the use of its private digital signature key and a certificate, authenticates that the requested position information is provided by a trusted location certification unit.

Three basic systems are set forth as exemplary embodiments of the present invention, one with a basic location certification unit (LCU), a second using a sensor, and a third operating on a two-way communication link between beacons and a sensor in the LCU. In addition, many variations and modifications of these systems are disclosed, and others would be readily apparent to those skilled in this art. In these systems, there is the ever present danger of attempts by unauthorized individuals to breach the security of the system, as for example, by the use of sophisticated spoofing techniques where false radio broadcasts on Loran or GPS frequencies may be employed to cause the position determination unit to compute a position other than its actual position. The systems of the present invention use techniques and procedures to safeguard against such eventualities.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a first illustrative embodiment of a location certification unit;

FIG. 2 shows another illustrative embodiment with a mobile object;

FIG. 3 shows a further illustrative embodiment operating with a two-way communication link between a beacon and a sensor at the LCU;

FIG. 4 illustrates the signal timing between and within units of the embodiment of FIG. 3; and

FIG. 5 is a flow chart delineating the sequence of operations performed in the FIG. 3 embodiment.

DETAILED DESCRIPTION OF THE INVENTION

In public key encryption systems, the public keys of a user are the encryption keys published by the user that may be used for privately communicating with the user. Anyone wanting to privately communicate with the user simply encrypts the message employing the user's public encryption key. Only that user's secret decryption key can be used to decipher the encrypted message.

In order to ensure that a specified public key is one that has actually been created by the specified individual, certificates are provided. Certificates can be thought of as brief messages which are signed by the trusted authority, and which contain, either explicitly or implicitly, a reference to the public key which is being therein certified, and the identity of the public key's owner. In such an implementation, if “C” has provided a certificate for “A”, then recipient “B” can trust the use of “A's” public key, provided that “B” trusts “C”.

A location certification unit (LCU) as shown in FIG. 1 includes a position determination unit (PDU) 1 coupled to a secure authorization unit (SAU) 2. The units 1 and 2, or at least the sensitive components of the units, are contained in a tamper resistant enclosure in such a manner that tampering will trigger an alert signal and erasure of sensitive information such as authenticating keys stored in the unit. Acceleration fuses can be used to prevent tampering through subjecting the unit to acceleration or gravitational forces to disturb a clock, if included in the unit. As will be appreciated by those skilled in the art, the nature and degree of security and tamper resistant expedients incorporated into the system and components will correspond to the anticipated risks.

The PDU 1 includes conventional position determining apparatus for receiving Loran and/or GPS signals and for computing its position. The current location or position may be continuously computed and maintained, or it may be computed only in response to a request.

SAU 2 contains its own private digital signature key stored in a secure probe-resistant memory 3. This private key has a public aspect which is digitally signed by the manufacturer, using its well guarded private key, thus providing a certificate indicating to the requestor that the public key used to communicate with the SAU belongs to a trusted LCU. This certificate may be presented to the requestor R as a part of the location certificate. The SAU includes a processor 4 for processing data and control of internal functions, and a send/receive unit 5 for communicating with the requestor R.

While the invention is not limited to any particular digital signature key technique, one technique which can be used is the RSA technique of using a private digital signature key to sign a message which the requestor or receiving party can validate using the originator's public key, as described in U.S. Pat. No. 4,405,829 issued to Rivest et al. In brief, an intended receiver's public key is made available to the sender, i.e., requestor, and is used for sending an encrypted message. Only the private decryption key at the LCU's receiver can decipher the message. The decryption key is then used to digitally sign a message which is sent to the original sender or requestor. The recipient or requestor can verify the signature by encrypting it with the LCU's public key. While anyone having the LCU's public key can read the signature, only the LCU signing the message could have created it.

The certification is provided by the manufacturer's digital signature which may be stored in memory at the SAU and sent to the requestor. That is, the manufacturer provides a digital signature indicating that the public key, used by the requestor, belongs to a trusted LCU, as described, for example, in U.S. Pat. No. 5,214,702 issued to the inventor (which is hereby incorporated by reference). This certificate presented to the requestor serves as a part of the authenticated location certificate.

In operation, the LCU (FIG. 1) in response to a request computes or determines its current position in the PDU 1, authenticates the reported position by supplying a digital signature 3a and a certificate 3b in the SAU 2, and sends the message to the requestor R. Additional information 3c may be provided in the signed message, as for example, the current time/date stamp, the identity of an associate user, and the challenge response information supplied by another entity, e.g., requestor.

Verification of the digitally signed message is effected by use of the trusted manufacturer's public key. The manufacturer's public key is used by the requestor to determine that a unit's public key is, in fact, in a certification hierarchy and is associated with a trusted LCU. This validation of the unit's public key is then used to verify the digital signature. Any alteration of the digital signature is immediately detected. Where multiple levels of certification are used, as in inventor's U.S. Pat. No. 5,005,002 (which is hereby incorporated by reference), the trusted key is used to chain through the certification hierarchy to ultimately determine that the unit's public key is, in fact, associated with a trusted LCU.
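The requestor-side check described above, as an added example that is not code from the patent: it verifies the manufacturer's certificate 3b over the unit's public key, then the unit's signature 3a over the position and the additional information 3c. The field names, JSON encoding, 30-second freshness window and keys are assumptions, and the signature is unpadded textbook RSA over a SHA-256 digest with fixed demonstration primes, chosen only so the block runs on the standard library.

```python
import hashlib
import json

E = 65537  # public exponent shared by both demonstration keys


def make_key(p, q):
    """Toy RSA key from two fixed primes (demonstration only)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def _digest(obj, n):
    # Canonical JSON so signer and verifier hash identical bytes.
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, obj):
    return pow(_digest(obj, key["n"]), key["d"], key["n"])


def verify(n, obj, signature):
    return pow(signature, E, n) == _digest(obj, n)


# Constructed keys: Mersenne primes are convenient here but NOT safe key material.
MANUFACTURER = make_key(2**521 - 1, 2**607 - 1)
UNIT = make_key(2**1279 - 1, 2**2203 - 1)


def certify_unit(manufacturer_key, unit_id, unit_n):
    """Manufacturer signs the unit's public key: certificate 3b."""
    body = {"unit_id": unit_id, "public_n": unit_n}
    return {"body": body, "signature": sign(manufacturer_key, body)}


def issue_location_certificate(unit_key, unit_cert, position, time_s, challenge):
    """LCU signs the position plus additional information 3c: signature 3a."""
    message = {"position": position, "time": time_s, "challenge": challenge}
    return {"message": message, "signature": sign(unit_key, message),
            "unit_certificate": unit_cert}


def verify_location_certificate(cert, manufacturer_n, challenge, now_s, max_age_s=30):
    """Requestor R: chain from the trusted manufacturer key down to the position."""
    unit_cert = cert["unit_certificate"]
    # 1. Is the unit's public key certified by the manufacturer?
    if not verify(manufacturer_n, unit_cert["body"], unit_cert["signature"]):
        raise ValueError("unit key not certified by manufacturer")
    # 2. Did that unit sign exactly this message?
    if not verify(unit_cert["body"]["public_n"], cert["message"], cert["signature"]):
        raise ValueError("location signature invalid")
    # 3. Is this an answer to our request, and recent?
    if cert["message"]["challenge"] != challenge:
        raise ValueError("challenge mismatch")
    if abs(now_s - cert["message"]["time"]) > max_age_s:
        raise ValueError("certificate too old")
    return cert["message"]["position"]
```

The order of the checks matters: the unit's key is only used after the manufacturer's signature over it has been verified, so a well-formed certificate signed by an uncertified key is rejected at the first step.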

Installing LCUs in objects, e.g., digital signing devices, computer log-on cards, controls for broadcast receivers, or smart cards for use with broadcast receivers, in combination with means for disabling the use of such objects, provides for control over the location at which the objects can be used. Incorporating a LCU in a computer log-on card designed to be limited to use at either the office or home, means that the defeat of the LCU would require sophisticated techniques such as generating false Loran or GPS signals to cause the PDU of the LCU to compute a false position. Moreover, the presence of other conventional safe-guards such as personal identification number (PIN) or password requirements to activate the card would provide significant layers of protection against the ordinary thief successfully using the card.

A second embodiment of a LCU is particularly useful for monitoring the location of a moving object. Illustrated in FIG. 2, the LCU is incorporated in a system having features which make the location certificate spoof resistant, i.e., resistant to being deceived into computing a false position. The use of a highly accurate clock 6 in the sensor 7 of the LCU synchronized with a clock 12 of the beacon 10 serves to defeat spoofing of the system. In this embodiment, each beacon 10 is equipped with a private key or a shared private key that is common among the beacons. Where beacons share a common key, then each beacon is provided with its own unique identification. The keys or identifications are maintained in a memory associated with processor 11. The LCU has one or more sensors 7 that have access to the beacons' public keys. A beacon's transmission includes digital authentication of the broadcast time and an indicator of the beacon's identity.

Under the foregoing conditions, and without the synchronized highly accurate clocks, a would-be spoofer cannot substitute or cause a sensor to confuse one beacon's signal with that of another, nor accelerate or formulate signals. One can, however, copy a beacon's transmission and rebroadcast it at some delayed interval or intervals. The system then has need of means to prevent the reception or action on signals that are too distant or at wrong angular locations. This is the function of the synchronized clocks.

When beacons are in orbiting satellites as in the GPS or are in Loran stations, position is determined using two, three or more beacons. A delayed rebroadcast of a true satellite beacon's message from a false beacon would mean that the false beacon is located further out in space or on the other side of the Earth. In the latter case, sensing a different beacon lying in a direction away from the apparent position of the first observed beacons suffices to determine whether the computed position is true or false. In the former case, the aforementioned synchronized clocks are used to inhibit the reception and use of the false beacon.

With the synchronized clock system, each beacon pre-computes the digital signature and its time duration that is due to be transmitted at some precise time in the future. At the prescribed moment, the first bit of the precomputed digital signature is transmitted. The balance of the message, including an authenticated time stamp, is of predictable duration and is transmitted with each bit coming at a precisely timed interval. The sensor or receiver at the LCU determines, based on its internal clock, the exact moment the transmission was received, and that each bit after the first bit arrived on schedule. This need not be done in real time but the message may be stored and processed after it has been fully received. The authenticated time stamps are verified using the public key associated with each beacon and compared with the sensor clocked time of receipt of the message. An additional time check can be made by considering the differentials between beacons. The position of the LCU is determined by using the time differentials between each of the beacons, and the result is checked for consistency. The position computed by the differentials must agree with the time difference between the sensor's internal clock and that time broadcast by each of the beacons. Since the position of each beacon is known, from authenticated broadcasts or tables stored in the sensor, and the speed of the transmitted radio signal is known, the purported distance/time to each beacon can be calculated. The calculated times and the measured time differentials are compared to see that they are the same.

The degree of accuracy of the clocks sets the degree of accuracy to which true or false signals can be detected. Therefore, the clocks must have accurate time intervals and must not drift over long periods of time. Drift problems can be minimized by resetting the clocks periodically, recalibrating the sensor clocks from master clocks at the beacons, using temperature controlled clock environments, and using very high quality accurate clocks or a multiple clock system. Where the clocks are subject to strong gravitational fields or acceleration and run slower, the fact that the clock runs slower can be taken into consideration. Since the speed of light is one foot per nanosecond, the degree to which spoofing can be controlled is one mile per 5 microseconds of drift.
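The sensor-side checks from the two paragraphs above, as an added example that is not from the patent: bit schedule, differentials between beacons, and measured flight time against the distance to the computed fix. Beacon coordinates, bit period and tolerances are constructed, time stamps are taken as already signature-verified, and `clock_error_ns` is an assumed bound on accumulated sensor clock drift.

```python
import itertools
import math

C_M_PER_NS = 0.299792458     # speed of light, metres per nanosecond
BIT_PERIOD_NS = 1_000.0      # assumed spacing between message bits


def make_observation(beacon_id, beacon_pos, sensor_pos, t_tx, delay_ns=0.0, nbits=8):
    """Constructed sample: bit arrival times as read off the sensor clock."""
    first = t_tx + math.dist(beacon_pos, sensor_pos) / C_M_PER_NS + delay_ns
    return {"id": beacon_id, "pos": beacon_pos, "t_tx": t_tx,
            "arrivals": [first + i * BIT_PERIOD_NS for i in range(nbits)]}


def check_fix(fix, observations, clock_error_ns, jitter_ns=1.0):
    """Apply the three timing checks to a computed fix.

    t_tx is the beacon's time stamp, assumed already signature-verified.
    Returns the beacon ids (or id pairs) that fail each check.
    """
    faults = {"bit_timing": [], "differential": [], "absolute": []}
    residual = {}
    for ob in observations:
        first = ob["arrivals"][0]
        # Every bit after the first must arrive in its scheduled slot.
        if any(abs(t - (first + i * BIT_PERIOD_NS)) > jitter_ns
               for i, t in enumerate(ob["arrivals"])):
            faults["bit_timing"].append(ob["id"])
        expected = math.dist(ob["pos"], fix) / C_M_PER_NS
        residual[ob["id"]] = (first - ob["t_tx"]) - expected
        # Measured flight time must match the distance to the fix, within
        # what the sensor clock's own error can explain.
        if abs(residual[ob["id"]]) > clock_error_ns:
            faults["absolute"].append(ob["id"])
    # Differentials between beacons cancel any common offset or delay.
    for a, b in itertools.combinations(residual, 2):
        if abs(residual[a] - residual[b]) > 2 * jitter_ns:
            faults["differential"].append((a, b))
    return faults


# Constructed geometry in metres on a flat plane.
BEACONS = {"A": (0.0, 0.0), "B": (50_000.0, 0.0), "C": (0.0, 80_000.0)}
SENSOR = (1_000.0, 2_000.0)


def sample(delay_ns=0.0):
    """Constructed broadcast set; delay_ns models a rebroadcast copy."""
    return [make_observation(i, p, SENSOR, 5_000_000.0, delay_ns)
            for i, p in BEACONS.items()]
```

A copy of all three broadcasts arriving 4 µs late leaves the differentials intact and fails only the absolute check. With a 5 µs drift allowance the same copy is accepted, which is the trade-off the drift paragraph describes.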

In a third embodiment, illustrated in FIG. 3, the sensor 7 relies on a beacon 10 with a confirmed position and the PDU 1 determines its position as a function of being on a radius of the beacon. As in the previous embodiment, each sensor has a clock 6 synchronized with the clock 12 of the beacon, and maximum position is determined by measuring the time required to receive the beacon's signal. The need for the high synchronization of the previous embodiment is reduced by using a two way communication path between a beacon and a sensor. Thus, the sensor 7 is provided with a transmitter 8 compatible for communicating with a receiver 14 in the beacon 10. In addition, the beacon is provided with a processor 11 for controlling the transmission and formulating a response.

The sensor generates a random challenge number and transmits it to the beacon. The beacon constructs a response, including its digital signature, the sensor's random challenge number and the beacon's position. The beacon's clock value and other beacon operating characteristics may also be included in the response.

As illustrated in FIG. 4, each signal exchanged by the sensor and the beacon has a mark pulse which is the signal to which the time of transmission is associated and calibrated. The mark pulse can be the first, the last or at any other distinguishable point in the transmission. The signal parts illustrated in FIG. 4 are identified as follows.

-   S_(O)—The observed value of the sensor's clock when the request is started.
-   V_(O)—The sensor emission time: the (known, previously calibrated) time interval between S_(O) and the moment the mark pulse physically escapes from the sensor. This includes whatever processing time is required to read the clock, store the clock value, construct the request, etc.
-   T_(O)—The duration of the request signal.
-   T₁—The time for the request signal to move from sensor to beacon.
-   D₁—The distance which the request signal traverses.
-   M₁—The moment the request's mark pulse impinges on the beacon.
-   V₁—The beacon reaction time—the (known, calibrated) time required between M₁ and the moment the beacon's clock value is observed.
-   B₁—The beacon clock value determined after the mark pulse is determined.
-   B₂—The beacon clock value at the end of transmission receipt.
-   V₂—The beacon trailing reaction time (to determine the clock value after the transmission is recognized as complete).
-   B_(O)—The overall beacon “processing time”—from the time a request signal impinges on the beacon, to the moment the response signal escapes. In the preferred embodiment, this time is known before the signal is actually computed—it is actually taken as a “given” which the beacon works to provide.
-   P_(x)—The time required by the beacon to process the signal, perform the digital signature, prepare the response, and schedule it for transmission.
-   B₃—The internal clock time which the beacon must observe in order to commence response emission.
-   V₃—The (known, calibrated) time which is spent by the beacon after observing a trigger clock value (say B₃) until the response's mark pulse actually escapes the beacon.
-   B₄—The moment the mark pulse escapes the beacon.
-   T₂—The time for the response signal to move from beacon to sensor.
-   D₂—The distance which the response signal traverses.
-   V₄—The (known, calibrated) sensor time reaction between the receipt of the response mark pulse, and the observation of the sensor's clock.
-   S₂—The sensor clock value observed after receiving the response mark pulse.
-   V₅—The (known, calibrated) sensor time reaction between the receipt of end of response, and the observation of the sensor's clock.
-   S₃—The sensor's clock value after recognizing the end of the response.
-   R_(O)—The expected duration of the response transmission.

Given these variables, the timing, illustrated in FIG. 4, and the processing, illustrated in FIG. 5, are as follows:

-   1010 The sensor computes a challenge value, constructs the transmission request (of known length and duration T_(O)).
-   1020 The sensor observes its clock (S_(O)).
-   1030 The sensor emits the request. The calibrated time between step 1020 and the eventual emission of the mark pulse is a calibrated constant (V_(O)).
-   1040 The signal impinges on the beacon at M₁.
-   1050 After recognizing the signal, the beacon observes its clock value (B₁). The process requires known calibrated time (V₁=B₁−M₁).
-   1060 The beacon receives the balance of the transmission, and observes its clock value (B₂) at the end. Checks may also be done to all intermediate transmission pulses to see that they are properly timed.
-   1070 Validity checks are done. For example, the expected request transmission time (T_(O)) is checked against the observed time (B₂−V₂−(B₁−V₁)).
-   1080 The beacon is designated to emit its response after a predictable duration (B_(O)). Such duration must always exceed all possible expected intermediate computations and processing (preferably by some comfortable margin). B_(O) can be constant, and characteristic of a class of beacons; or can be constant for each specific beacon; or can be determined as part of each response (and therefore must be included as information as part of the response). In any event, whether constant or variable, the beacon must know (or compute) it prior to constructing the response.
-   1090 The beacon constructs the response, consisting of, e.g.,
    -   a. The sensor's received challenge value.
    -   b. The beacon's Location.
    -   c. An indication of the Authority which Confirms the Location; possibly including a digital signature.

    Other information, such as, e.g.,
    -   d. Any clock value corresponding to a distinguishable beacon event. In the embodiment shown, this is B₄—the time the mark pulse is expected to escape. This is computed as: B₄ = B₁ − V₁ + B_(O)
    -   e. The beacon's public key and certificate.
    -   f. An indication of the beacon's certifying authority.
    -   g. The beacon's identifier.
    -   h. The beacon's processing time B_(O).
    -   i. The beacon clock's accuracy, granularity, etc.
    -   j. The expected length of the response transmission.
    -   k. When the location was set.
    -   l. Other beacon characteristics.
    -   m. Characteristics, or facts, about the Confirming Authority; including, for example, a digital signature.

    The beacon then digitally signs at least transmission fields a, b, c using the beacon's private key.
-   1100 The beacon computes the moment

    B₃ = B₁ − V₁ + B_(O) − V₃

    when emission processing should commence for this response.
-   1110 If the beacon handles multiple signals in parallel, then the response is queued until time B₃; if the beacon handles requests serially, then the beacon simply waits until it observes clock value B₃.
-   1120 On observing clock value B₃, the beacon commences to emit the already computed response, with expected duration of R_(O).
-   1130 The mark pulse associated with the response escapes the beacon at time B₄, since the calibrated emission processing time after observing time B₃ until mark pulse escape is known to be V₃.
-   1140 The mark pulse impinges the sensor.
-   1150 After recognizing the mark pulse, the sensor observes its clock and obtains reading S₂. The time required to do this has been calibrated as V₄.

    The balance of the response is accepted and verified as arriving under the expected time and signal constraints.
-   1160 After receiving the end of the response, the sensor takes observed clock reading S₃, which is calibrated as requiring V₅ seconds to accomplish.
-   1170 The sensor then computes the response transmission duration

    (S₃−V₅) − (S₂−V₄)

    and compares it with expected duration R_(O).
-   1180 If there is a mismatch, a fault is indicated, and the location operation may be re-performed.
-   1190 The sensor validates the response:
    -   Verifies the beacon's digital signature.
    -   Verifies the beacon's public key (using, e.g., the beacon's certificate).
    -   Insures it trusts the beacon or its certifier.
    -   Identifies and insures it trusts the Confirming Authority.
    -   Extracts the authenticated beacon position.
-   1200 Using information about the beacon, supplied by the beacon or elsewhere, the sensor computes the signal transmit time:

    stt = (S₂−V₄) − B₄ + M₁ − (S_(O)+V_(O)) = S₂ − V₄ − B_(O) − S_(O) − V_(O)
-   1210 Assuming the sensor was stationary during the signal exchange, and assuming the signal traveled at “c”, the speed of light, then

    (stt/2)(c)

    reasonably estimates the distance of the sensor from the beacon's known authenticated location. Even if the sensor moved during the exchange, the sensor must have been at least within this distance at some moment during the exchange. This estimate may need to be tempered using error estimates based on clock granularities, wavelengths used by the transmissions, and inherent clock error bounds.
-   1300 Based on this exchange, provided the beacon included its clock reading, say B₄ (see (d) in step 1090), the sensor is able to update its clock by an additive amount:

    B₄ + (stt/2)(c) − (S₂−V₄)

    with an accuracy of plus-or-minus:

    (stt/2)(c) + inherent clock granularities & errors + transmission signal frequency

    where the first error term arises from the possibility that the sensor was moving toward or away from the beacon during the exchange. If the sensor is known to be fixed, such as using motion detectors to insure no movement occurs during the exchange, then the first error term can be omitted.
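Steps 1010 to 1210 worked through in code, as an added example that is not part of the patent text. Sensor and beacon clocks are given unrelated offsets to show that the computed transit time does not depend on synchronization; the calibrated delays, message encoding and position are constructed values, and an HMAC stands in for the beacon's digital signature (a symmetric substitute, so the sensor here holds the same key).

```python
import hashlib
import hmac
import json
import secrets

C_M_PER_NS = 0.299792458           # speed of light, metres per nanosecond
# Calibrated delays in ns (constructed values), named as in the signal list.
V0, V1, V3, V4, V5 = 120, 80, 150, 90, 90
B0 = 50_000                        # B_O: fixed beacon turnaround, step 1080
R0 = 8_000                         # R_O: expected response duration
TOLERANCE_NS = 5                   # assumed clock granularity
BEACON_KEY = b"constructed-demo-key"   # stand-in for the beacon's signing key


def beacon_respond(challenge, b1, position):
    """Steps 1050-1130 on the beacon clock: returns (response, B4)."""
    m1 = b1 - V1                   # moment the request mark pulse arrived
    b4 = m1 + B0                   # B4 = B1 - V1 + B_O
    b3 = b4 - V3                   # step 1100: when emission must start
    body = json.dumps({"challenge": challenge, "position": position,
                       "B4": b4, "B0": B0, "R0": R0}, sort_keys=True).encode()
    tag = hmac.new(BEACON_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}, b3 + V3


def sensor_validate(challenge, s0, s2, s3, response):
    """Steps 1170-1210: authenticate, then bound the distance in metres."""
    want = hmac.new(BEACON_KEY, response["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, response["tag"]):
        raise ValueError("response not authenticated")
    fields = json.loads(response["body"])
    if fields["challenge"] != challenge:
        raise ValueError("challenge mismatch: replayed response")
    duration = (s3 - V5) - (s2 - V4)                  # step 1170
    if abs(duration - fields["R0"]) > TOLERANCE_NS:
        raise ValueError("response duration fault")   # step 1180
    stt = s2 - V4 - fields["B0"] - s0 - V0            # step 1200
    if stt < 0:
        raise ValueError("negative transit time")
    return fields["position"], (stt / 2) * C_M_PER_NS  # step 1210


def simulate_exchange(distance_m, relay_delay_ns=0, replay=None,
                      sensor_offset=7_000_000, beacon_offset=-3_000_000):
    """Play one exchange on a shared 'true' timeline (ns).

    The two offsets make the clocks disagree by 10 ms. relay_delay_ns models a
    rebroadcast of the live response; replay substitutes an old response.
    """
    flight = round(distance_m / C_M_PER_NS)
    challenge = secrets.token_hex(16)                 # step 1010
    t0 = 1_000_000
    s0 = t0 + sensor_offset                           # step 1020
    t_m1 = t0 + V0 + flight                           # steps 1030-1040
    b1 = t_m1 + V1 + beacon_offset                    # step 1050
    response, b4 = beacon_respond(challenge, b1, [47.0, 8.0])
    t_arrive = (b4 - beacon_offset) + flight + relay_delay_ns   # step 1140
    s2 = t_arrive + V4 + sensor_offset                # step 1150
    s3 = t_arrive + R0 + V5 + sensor_offset           # step 1160
    presented = replay if replay is not None else response
    position, bound = sensor_validate(challenge, s0, s2, s3, presented)
    return {"position": position, "bound_m": bound, "response": response}
```

Added delay can only enlarge the distance bound, so the sensor is never placed closer to the beacon than it is. A response recorded from an earlier exchange is rejected because it carries the wrong challenge.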

In the above example of this embodiment, the response includes the beacon's certificate in its transmission. However, the beacon's public key may be embedded in the sensor, or may be ascertained in other manners. Other authenticated digital information may include the beacon's identity, expected response time, means by which the location information has been determined, the expected accuracy of the positional information, the authority responsible for determining the beacon's position, the level of security ascribed to the device, the time associated with the response mark signal, and the authority responsible for determining the beacon's clock.

In this embodiment, the precise position of the beacon is a limiting factor on the correctness of determined position of the PDU. The position of the beacon can be determined by Loran, GPS or other radio based techniques, and it can be confirmed by a trusted calibrating authority. To insure that the beacon remains stationary once its position is established, movement sensors may be provided to generate an alert signal upon the sensing of movement or tampering. Where such a stationary beacon is moved for any reason, deliberately or by an earthquake, then the position must be redetermined and reconfirmed.

Where the beacon's position is confirmed by a calibrating authority, then the authority is responsible for certifying the accuracy of the position information. If the beacon determines its own position from radio signals, then the calibrating authority can only be viewed as a confirming entity that the beacon is a trusted beacon, and not one that may have been spoofed. Hence, certificates by calibrating authorities are constructed and appraised in accordance with the function of the calibrating authority, which may be indicated in the certificate. Moreover, identification of the calibrating authority in the certificate serves to inform the user of same the degree to which position information may be trustworthy.

A stationary beacon may advantageously be used as a source to set a highly accurate clock in mobile LCUs. As in the example above, where the beacon includes its clock value B₄ as part of its response, then the mobile LCU can set its clock to a trusted accuracy with known error. With respect to high acceleration of the LCUs, an acceleration fuse would provide a part of the tamper resistant construction.

While the digital signature has been described using the RSA algorithm, other algorithms such as DSA, symmetric, or the protocols developed by Goldwasser and Micali or by Chaum may be employed. Moreover, the algorithms and/or protocols may be used in combination.

While the invention has been described in connection with what is presently considered to be the most practical and preferred embodiment, it is to be understood that the invention is not to be limited to the disclosed embodiment, but on the contrary, is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

1. A secure method of establishing the location of an object bycalculating in-situ the location of the object from received radiosignals wherein the radio signals are received from a beacon via atwo-way communication between the beacon and a sensor on the object,comprising computing and transmitting at said sensor a signal includinga challenge value and observing a clock associated with said sensor,recognizing at said beacon the transmitted sensor signal, observing atthe beacon a clock associated with the beacon, constructing a responsemessage including the sensor's received challenge value, the beacon'slocation, its location certificate and a time stamp, and transmittingthe response message to said sensor, recognizing at said sensor saidtransmitted response message, observing the sensor clock, and validatingthe response message, computing the signal transit time and estimatingthe distance to the beacon, and based on the location of the beacon andthe distance, calculating the location of the sensor and thereby thelocation of the object, and transmitting in response to a request from arequestor a message comprising the digitally signed calculated locationof the object.
 2. A method as in claim 1 and including transmitting acertificate for the object in the message comprising the digitallysigned calculated location of the object.
 3. A method as in claim 1wherein the clocks associated with the beacon and the sensor aresynchronized and including, calculating the transit time from the timestamp and the observed time for receipt of the response message at thesensor and comparing this time with the computed signal transit time. 4.A method as in claim 1 wherein said object includes a sensor with aaccurate clock synchronized with a beacon clock and includes the step ofreceiving a time stamp from the beacon and comparing it with the sensorclock to authenticate the receipt of location information is from avalid beacon.
 5. A method as in claim 1 wherein said beacon and saidsensor each include an accurate clock and includes the step of updatingthe sensor clock in accordance with the time stamp transmitted by thebeacon.
 6. Apparatus for providing location certificates comprising alocation certification unit for receiving radio signals from two or morebeacons, said location certificate certification unit including positiondetermination means and secure authorization means, said secureauthorization means including a private key of a private key-public keypair for digitally signing messages sent to a requesting source, acertificate for the public key certifying that the public key is in factthe public key of the secure authorization means, a clock synchronizedwith clocks in the beacons, means for receiving and processing a timestamp transmitted by a beacon, and means for determining from the timestamp and the clock in the secure authorization means that a receivedradio signal is from a valid beacon, said beacons providing radiosignals from which said position determination means can compute itsposition and said secure authorization means can determine that thesignals are valid, and means for sending to said requesting source uponrequest a digitally signed message including the computed position ofsaid location certificate unit and the certificate for the public keywhich public key is to be used by the requesting source to verify thesigned message.
7. Apparatus as in claim 6 further comprising means for establishing a secure two-way communication link between each beacon and the sensor in the secure authorization means.
8. Apparatus as in claim 6 wherein said location certification unit is a component of a digital signature device.
9. Apparatus as in claim 6 wherein said location certification unit is a component of a satellite signal box.
10. A location certification unit comprising a position determination unit, a secure authorization unit coupled to said position determination unit, a memory within said secure authorization unit, a digital signature key stored in the form of digital data in said memory, said key having an associated public key, a certificate for said public key, said certificate being stored in said memory, a sensor for receiving a message from a beacon that includes the clock time at which the message was transmitted and for processing the message to retrieve the clock time, the sensor including a clock, said position determination unit computing from the retrieved clock time and the time of sensing a received message as indicated by the sensor clock the radial distance the location certification unit is from the beacon thereby determining the location of the location certification unit as being within a geographical area centered on the beacon, and means for communicating to a requestor in response to a request the certified location of said location unit, said certified location comprising the location as determined by said position determining unit signed with said digital signature key and the certificate for said public key.
11. A location certification unit as in claim 10 wherein said memory further stores a personal identification number and a password and said location certification unit is a component of a computer log-on card.
12. A location certification unit as in claim 10 wherein the location certification unit is a component of a digital signature device.
13. A location certification unit as in claim 10 wherein the location certification unit is a component of a satellite signal decoder box.
14. A location certification unit as in claim 10 wherein the message from a beacon includes the digital signature of the clock time at which the message was transmitted, and said sensor has stored therein the public key of the beacon for verifying the clock time using the public key of the beacon.
15. A location certification unit comprising: a position determination unit for determining the position of the location certification unit from received radio signals, a secure authorization unit coupled to the position determination unit and comprising a memory, a sensor having a clock for providing clock time, and means for communicating to a requestor in response to a request a message containing the certified position of the location certification unit as determined by the position determination unit, said memory having stored therein a digital signature key and a certificate for a public key associated with the digital signature key, said clock providing a clock time for validating a received radio signal, the signal containing the time at which it was transmitted, sensed by the sensor as being from a valid source, and said certified position of the location certification unit comprising (1) the position of the location certification unit as determined by the position determination unit signed using the digital signature key and (2) the certificate.
16. A location certification unit as in claim 15, said sensor further comprising a processor for processing sensed radio signals to provide the identity of the source of the signal where that information is contained in the signal, and for decrypting a sensed digitally signed radio signal with the public key of the source of the signal to verify the identity of the source and the time at which the signal was transmitted.
17. A location certification unit as in claim 15 wherein time differentials between the time the sensor clock marks a sensed signal and the time at which the signal was sent with respect to a plurality of sources are used to calculate the position of the location certification unit and each time differential is checked with the calculated signal transit time from the calculated position to the known location of the source.
18. A location certification unit as in claim 15 wherein said sensor is capable of receiving and processing signals received from more than one source and said position determining means determines the position of the location certification unit based on the messages from at least two sources.
19. A location certification unit as in claim 18 wherein the sources are beacons, and the location certification unit further comprises a transmitter for sending messages to a beacon that trigger the beacon into transmitting a response message that includes a time stamp, whereby it can be verified that the response message is a current message and not a copied message that is being replayed by comparing the time stamp with the sensor clock time at the time of receipt of the response message.
20. A location certification unit as in claim 18 further comprising a transmitter for sending a message to a beacon that triggers the beacon into transmitting a response message that includes a time stamp, whereby the total time for the sent message to travel to the beacon and the response message from the beacon to be sensed at the sensor, adjusted for by beacon delay and internal location certification unit delay, is divided in half and compared with the difference between the clock time at the time of receipt of the message and the time stamp to verify that the response message is valid.
21. Apparatus for providing location certificates comprising a location certification unit for receiving radio signals from two or more beacons, said location certification unit including a position determinator and secure authenticator, said secure authenticator including a private key of a private key-public key pair for digitally signing messages sent to a requesting source, a certificate for the public key certifying that the public key is in fact the public key of the secure authenticator, a receiver for receiving a time stamp transmitted by a beacon, and a processor for determining from the time stamp that a received radio signal is from a valid beacon, said beacons providing radio signals from which said position determinator can compute its position and said secure authenticator can determine that the signals are valid, and a transmitter for sending to said requesting source upon request a digitally signed message including the computed position of said location certificate unit and the certificate for the public key which public key is to be used by the requesting source to verify the signed message.
 22. Apparatus as in claim 21 wherein said locationcertification unit is operable to establish a secure two-waycommunication link with said two or more beacons.
23. Apparatus as in claim 21 wherein said location certification unit is a component of a digital signature device.
24. Apparatus as in claim 21 wherein said location certification unit is a component of a satellite signal box.
25. A location certification unit comprising a position determination unit, a secure authorization unit coupled to said position determination unit, a memory within said secure authorization unit, a digital signature key stored in the form of digital data in said memory, said key having an associated public key, a certificate for said public key, a sensor for receiving a message from a beacon that includes the clock time at which the message was transmitted and for processing the message to retrieve the clock time, the sensor including a clock, said position determination unit computing from the retrieved clock time and the time of sensing a received message as indicated by the sensor clock the radial distance the location certification unit is from the beacon thereby determining the location of the location certification unit as being within a geographical area centered on the beacon, and a transmitter for communicating to a requestor in response to a request the certified location of said location unit, said certified location comprising the location as determined by said position determining unit signed with said digital signature key and the certificate for said public key.
26. A location certification unit as in claim 25 wherein said memory further stores a personal identification number and a password and said location certification unit is a component of a computer log-on card.
27. A location certification unit as in claim 25 wherein the location certification unit is a component of a digital signature device.
28. A location certification unit as in claim 25 wherein the location certification unit is a component of a satellite signal decoder box.
29. A location certification unit as in claim 25 wherein the message from a beacon includes the digital signature of the clock time at which the message was transmitted, and said sensor has stored therein the public key of the beacon for verifying the clock time using the public key of the beacon.
30. A location certification unit comprising: a position determination unit for determining the position of the location certification unit from received radio signals, a secure authorization unit coupled to the position determination unit and comprising a memory, a sensor having a clock for providing clock time, and a transmitter for communicating to a requestor in response to a request a message containing the certified position of the location certification unit as determined by the position determination unit, said memory having stored therein a digital signature key, said clock providing a clock time for validating a received radio signal, the signal containing the time at which it was transmitted, sensed by the sensor as being from a valid source, and said certified position of the location certification unit comprising (1) the position of the location certification unit as determined by the position determination unit signed using a digital signature key and (2) a certificate.
31. A location certification unit as in claim 30, said sensor further comprising a processor for processing sensed radio signals to provide the identity of the source of the signal where that information is contained in the signal, and for decrypting a sensed digitally signed radio signal with a public key of the source of the signal to verify the identity of the source and the time at which the signal was transmitted.
32. A location certification unit as in claim 30 wherein time differentials between the time the sensor clock marks a sensed signal and the time at which the signal was sent with respect to a plurality of sources are used to calculate the position of the location certification unit and each time differential is checked with the calculated signal transit time from the calculated position to the known location of the source.
33. A location certification unit as in claim 30 wherein said sensor is capable of receiving and processing signals received from more than one source and said position determining unit determines the position of the location certification unit based on the messages from at least two sources.
34. A location certification unit as in claim 33 wherein the sources are beacons, and the location certification unit further comprises a transmitter for sending messages to a beacon that trigger the beacon into transmitting a response message that includes a time stamp, whereby it can be verified that the response message is a current message and not a copied message that is being replayed by comparing the time stamp with the sensor clock time at the time of receipt of the response message.
35. A location certification unit as in claim 33 further comprising a transmitter for sending a message to a beacon that triggers the beacon into transmitting a response message that includes a time stamp, whereby the total time for the sent message to travel to the beacon and the response message from the beacon to be sensed at the sensor, adjusted for by beacon delay and internal location certification unit delay, is divided in half and compared with the difference between the clock time at the time of receipt of the message and the time stamp to verify that the response message is valid.
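The timing checks recited in claims 19, 20, 34 and 35 (time-stamp freshness and the halved round trip), together with the radial distance of claims 10 and 25, can be sketched as follows. This is an added example and not part of the patent; it assumes synchronized beacon and sensor clocks, and the class and function names, the 50 ns tolerance, the delay values and the sample exchanges are constructed for illustration.

```python
from dataclasses import dataclass

C = 299_792_458.0  # speed of light, m/s

@dataclass
class Exchange:
    t_sent: float        # sensor clock when the trigger message was sent
    t_received: float    # sensor clock when the response was sensed
    beacon_stamp: float  # time stamp carried in the beacon's response
    beacon_delay: float  # known turnaround delay inside the beacon
    unit_delay: float    # known internal delay of the certification unit

def validate_response(x, tolerance=50e-9):
    """Return (valid, reason, radial_distance_m) for one trigger/response exchange."""
    one_way = x.t_received - x.beacon_stamp  # receipt time minus time stamp
    if one_way < 0:
        return (False, "time stamp is later than receipt", None)
    round_trip = (x.t_received - x.t_sent) - x.beacon_delay - x.unit_delay
    if round_trip < 0:
        return (False, "delays exceed measured round trip", None)
    # Half the adjusted round trip must agree with the stamped one-way time;
    # a recorded response replayed later carries a stale stamp and fails here.
    if abs(round_trip / 2.0 - one_way) > tolerance:
        return (False, "time stamp inconsistent with round trip", None)
    return (True, "ok", C * one_way)

def make_exchange(distance_m, stamp_age=0.0):
    """Constructed sample: a unit distance_m from the beacon; stamp_age > 0
    models a response whose time stamp is older than its transmission."""
    transit = distance_m / C
    beacon_delay, unit_delay = 2e-6, 1e-6  # assumed values
    t_sent = 100.0
    t_received = t_sent + unit_delay + transit + beacon_delay + transit
    stamp = t_received - transit - stamp_age
    return Exchange(t_sent, t_received, stamp, beacon_delay, unit_delay)

if __name__ == "__main__":
    print(validate_response(make_exchange(3000.0)))
    print(validate_response(make_exchange(3000.0, stamp_age=0.5)))
```

The 50 ns tolerance corresponds to roughly 15 m of range uncertainty; a real unit would set it from its clock accuracy and measured delay jitter.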